404-865-1289

Boost IT

IT Management & Cybersecurity

HIPAA

6 Steps to Avoid HIPAA Fines

by

In 2016 we will see more HIPAA audits and increased HIPAA fines. In 2015, there were 10 times more audits than in the last 10 years combined and currently, 70% of healthcare organizations would fail an audit. This article in Healthcare IT News is an indication of what’s coming.

Here are the 6 Steps to avoid HIPAA fines.

Most Common Mistakes

The two most common mistakes a practice makes in becoming HIPAA compliant is:

  1. thinking that a risk analysis is enough
  2. having an insufficient set of written policies

The rules put forth by the government to comply with HIPAA laws are complex and all of them need to be addressed.

What does the HIPAA law require?

The HIPAA Privacy regulations require healthcare providers and their business associates to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. What does that look like?

  1. Risk Analysis (the discovery of deficiencies that a practice has in relation to the HIPAA Privacy and Security Rule),
  2. Risk Management (the remediation of the deficient items),
  3. Policies and procedures addressing each section of the Privacy and Security Rule,
  4. Vendor management (making sure proper Business Associate Agreements and assurances that the Business Associate is complying with the HIPAA Security Rule are in place)
  5. the staff has attested to each privacy and security policy and they have taken a HIPAA 101 training course and successfully attest they understand the basics of HIPAA

How to Avoid HIPAA Fines?

The best way to avoid being fined by an auditor is to show due diligence. What is that? It is making a good faith effort in complying with the rules, documenting all findings, and being able to show anyone your compliance plan and efforts.

Detailed HIPAA fines or penalties can be found at the American Medical Association.

The 6 Steps:

  1. You must have a risk analysis that audits you for administrative risk (policies and procedures), technical risk (how are you safeguarding the access to and protection of ePHI that resides on your systems), and physical risk (assessing how you are protecting the data within the four walls of your site or sites.
  2. You must remediate (fix) all deficiencies that were found during the risk analysis and document what you did to resolve the deficiency.
  3. You must have policies and procedures covering all aspects of HIPAA Privacy and Security and HITECH (breach notification).
  4. You must educate your staff with training and track their attestation that they understand all the new policies and procedures you have put into place to safeguard protected health information.
  5. You must identify your business associates (BA) and make sure you
    have up to date BA agreements in place. If possible get assurances the BA you share data with is complying with the HIPAA Security Rule.
  6. Finally you need to create a culture of compliance that everyone takes HIPAA and safeguarding ePHI to a different level of protection.

Contact us at 404-865-1289 if your healthcare organization needs a risk assessment or compliance support. Some information courtesy of The Compliancy Group.

HIPAA Compliance Assessment and Risk Analysis

by

HIPAA Assessment and Risk AnalysisHIPAA Compliance Assessment and Risk Analysis

The HIPAA assessment can include documentation for a number of different modules.  There is a link to download a FREE HIPAA Assessment tool below.

HIPAA Policies & Procedures

The Policy and Procedures are the best practices that our industry experts have formulated to comply with the technical requirements of the HIPAA Security Rule. The policies spell out what your organization will do while the procedures detail how you will do it.

In the event of an audit, the first thing an auditor will inspect are the Policies and Procedures documentation. This is more than a suggested way of doing business. The Policies and Procedures have been carefully thought out and vetted, referencing specific code sections in the Security Rule and supported by the other reports include with the HIPAA Compliance module.

HIPAA Risk Analysis

HIPAA is a risk-based security framework and the production of a Risk Analysis is one of primary requirements of the HIPAA Security Rule’s Administrative Safeguards. In fact, a Risk Analysis is the foundation for the entire security program.

It identifies:

  • the locations of electronic Protected Health Information (ePHI,)
  • vulnerabilities to the security of the data, threats that might act on the vulnerabilities
  • estimates both the likelihood and the impact of a threat acting on a vulnerability.

The Risk Analysis helps HIPAA Covered Entities and Business Associates identify:

  1. the locations of their protected data,
  2. how the data moves within, and in and out of, the organization
  3. what protections are in place, and
  4. where there is a need for more protections

The Risk Analysis results in a list of items that must be remediated to ensure the security and confidentiality of ePHI. The value of a Risk Analysis cannot be overstated. Every major data breach enforcement of HIPAA, some with penalties over $1 million, have cited the absence of, or an ineffective, Risk Analysis as the underlying cause of the data breach. The Risk Analysis must be run or updated at least annually, more often if anything significant changes that could affect ePHI.

In fact, HealthIT.gov provides a FREE HIPAA Risk Analysis tool you can download and run yourself.

HIPAA Risk Profile

A Risk Analysis should be done no less than once a year. However, we can create an abbreviated version of the Risk Analysis called the HIPAA Risk Profile designed to provide interim reporting in a streamlined and almost completely automated manner.

Whether performed monthly or quarterly, the Risk Profile updates the Risk Analysis and documents progress in addressing previously identified risks, and finds new ones that may have otherwise been missed and resulted in a data breach.

Other Reports

We can also complete a HIPAA Management Plan report, Evidence of HIPAA Compliance report, Disk Encryption Report, File Scan Report, and User and Computer Identification Reports.

Call Boost IT at 404-865-1289 if you want to get in compliance.  It’s easier than you think.

TAKE SELF-ASSESTMENT